RHEL7: Configure SSH key-based authentication.

Presentation

Instead of connecting through login/password to a remote host, SSH allows you to use key-based authentication. To set up key-based authentication, you need two virtual/physical servers that we will call server1 and server2.

[user01@server1 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com
The authenticity of host 'server2.example.com (192.168.1.49)' can't be established.
ECDSA key fingerprint is 67:79:67:88:7f:da:31:49:7b:dd:ed:40:af:ae:b6:ae.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user01@server2.example.com's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user01@server2.example.com'"
and check to make sure that only the key(s) you wanted were added.
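
The ssh-copy-id output above ends by asking you to check that only the key(s) you wanted were added. The script below is an added example, not part of the original article: run on server2, it lists authorized_keys entries that do not match the public key you meant to install and reports loose permissions on the .ssh directory. The function names and the sample key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ~/.ssh on the target host after ssh-copy-id.

# Print "<line-no> <type> <blob>" for each key entry in an authorized_keys or
# .pub file. Entries may begin with options, so the key type is found by name.
# Limitation: a quoted option value containing a bare key-type word is not handled.
list_keys() {
  awk '!/^[ \t]*(#|$)/ {
    for (i = 1; i < NF; i++)
      if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-.*@openssh\.com)$/) {
        print NR, $i, $(i + 1); break
      }
  }' "$1"
}

# Print entries of authorized_keys ($1) whose blob is absent from the expected
# public key file ($2). No output means only the wanted key(s) are installed.
unexpected_keys() {
  expected=$(list_keys "$2" | awk '{print $3}')
  list_keys "$1" | while read -r line type blob; do
    printf '%s\n' "$expected" | grep -qxF -- "$blob" ||
      echo "line $line: unexpected $type key"
  done
}

# Print the .ssh directory ($1) and/or its authorized_keys file if either is
# writable by group or others (sshd with StrictModes rejects keys in that case).
loose_perms() {
  find "$1" "$1/authorized_keys" -prune \( -perm -020 -o -perm -002 \) -print
}

# Build a constructed sample: one wanted key plus one stray entry with options.
# The blobs are placeholders, not real key material.
make_sample() {
  d=$(mktemp -d) && chmod 700 "$d"
  echo 'ssh-rsa AAAAB3CONSTRUCTEDwanted user01@server1' > "$d/id_rsa.pub"
  { cat "$d/id_rsa.pub"
    echo '# constructed stray entry'
    echo 'from="192.0.2.10",no-pty ssh-ed25519 AAAAC3CONSTRUCTEDstray other@host'
  } > "$d/authorized_keys"
  chmod 664 "$d/authorized_keys"
  echo "$d"
}

if [ "${1:-}" = demo ]; then
  s=$(make_sample); unexpected_keys "$s/authorized_keys" "$s/id_rsa.pub"
  loose_perms "$s"; rm -rf "$s"
fi
```

Run the script with the argument demo to see it flag the stray entry and the group-writable file in the constructed sample.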

On server2, edit the /etc/ssh/sshd_config file and set the following options:

The PermitRootLogin no directive is mainly necessary if you don’t use key-based authentication. If you use key-based authentication, you can set it or not; there is no strict requirement.
Also, if you use a configuration management tool like Ansible, you will have to allow Ansible to connect as root on your servers to apply the needed changes, and you will not be able to use the PermitRootLogin no directive anymore.
During the exam, I don’t think wasting time with this directive will be useful.

1 year ago

Member

redhat0329

Thanks CertDepot!

1 year ago

Member

alexritm

Hello,
I cannot ssh-copy-id for a user created on the IPA server (ipa user-add). I can't even log in via SSH as this user. For local users it works.
Is it a problem in terms of the exam? Should I dig into it?